Eavesdropper Vulnerability Exposes Hundreds of Mobile Apps

Appthority on Thursday
warned that up to 700 apps in the enterprise mobile environment, including
more than 170 that were live in official app stores, could be at risk to due to the Eavesdropper vulnerability.

Affected Android apps already may have been downloaded up to 180 million times, the firm said, based on its recent research.

The vulnerability has resulted in large-scale data exposure, Appthority said.

Eavesdropper is the result of developers hard-coding credentials into mobile applications that utilize the Twilio Rest API or SDK, according to Appthority. That goes against the best practices that Twilio
recommends in its own documentation, and Twilio already has reached out to the development community, including those with affected apps, to work on securing the accounts.

Appthority's Mobile Threat Team first discovered the vulnerability back in April and notified Twilio about the exposed accounts in July.

The vulnerability reportedly exposes massive amounts of
sensitive and even historic data, including call
records, minutes of the calls made on mobile devices, and minutes of
call audio recordings, as well as the content of SMS and MMS text messages.

Reducing the Risk

The best approach for an enterprise is to
identify the Eavesdropper-vulnerable apps in its environment and determine whether the data exposed by the app is sensitive, Appthority suggested.

"Not all conversations involve confidential information, and the nature
of the app's use in the enterprise may not involve data that is
sensitive or of concern," noted Seth Hardy, Appthority director of
security research.

"If the messages, audio content or call metadata turn out to be
sensitive or proprietary, there may not be much that can be done about
exposed conversations resulting from prior use of the app," he told
TechNewsWorld.

"However, a lot can be done to protect future exposures, including either addressing and confirming the fix with the developer, or finding an alternate app that has the same or similar functionality without the Eavesdropper vulnerability," Hardy said. "In all cases, the enterprise should contact developers to have them delete exposed files."

Sloppy Coding

The Eavesdropper vulnerability is not limited to apps created using
the Twilio Rest API or SDK, Appthority pointed out, as
hard-coding of credentials is a common developer error
that can increase security risks in mobile applications.

"The core problem is developer laziness, so what Appthority found
isn't a particular revelation," said Steve Blum, principal
analyst at Tellus Venture Associates.

"It's just one more example of bad practices leading to bad results,
as it's very tempting for a coder to take shortcuts while developing
an app, with the sincere intent of cleaning things up later," he told TechNewsWorld.

"With apps being developed by a single person or a small team, there
are no routine quality control checks," Blum added. "Right now, it's
up to the stores -- Apple and Android, primarily -- to do QC work, and
I'd bet they're taking a look at this particular problem and might
screen more thoroughly for hard-coded credentials in the future."

For security and privacy to come first, it may be essential for coding in general to go through a paradigm shift, suggested
Roger Entner, principal analyst at Recon Analytics.

"Unfortunately, too often security is seen as a cost center, and
privacy is seen as the revenue generator for the company that develops
the app," he told TechNewsWorld.

"Therefore, apps are often not
secure -- and privacy is nonexistent -- to minimize cost and maximize
revenue," Entner explained. "The only way to combat these breaches is to actually pay full price for the apps consumers are using and to reject advertising-supported apps."

No Easy Fix

One of the most worrisome facts about this vulnerability is that
Eavesdropper doesn't rely on a jailbreak or root of the device. Nor
does it take advantage of other known operating system vulnerabilities.

Moreover, the vulnerability is not resolved after the affected app has been
removed from a user's device. Instead, the app's data remains open
to exposure until the credentials are properly updated.

Some users may purchase phones that are preloaded with apps that
could compromise their personal information.

"Twilio could force developers to update their app code by
invalidating or revoking all access credentials to their compromised
services APIs," Teich told TechNewsWorld.

However, "the sudden impact would be that a lot of valued consumer
smartphone apps and services would simply stop working all at the same
time," he said.

It appears that users have few options, and it could be difficult for
consumers even to have visibility into Eavesdropper-affected apps.

Those who work at a company "can ask their IT security team
for a list of apps that are approved, and then delete vulnerable apps
and install non-Eavesdropper affected apps instead," suggested
Appthority's Hardy.

"The big challenge is how to stop the flow of information from this
breach while still providing access to valued services," said Tirias' Teich.

This situation occurred in no small part because
developers were sloppy. However, consumer attitudes likely played a role as well. Many people favor ease of use over mobile device security.

"Consumers are still too casual about their privacy and opt not to pay," said Recon Analytics' Entner, "instead having their privacy monetized and compromised through sloppily coded apps."

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.
Email Peter.